feat: add auto-rotation scheduler (cron) for key lifecycle management

Add a background thread that periodically checks which keys are due for
rotation and automatically rotates them. The scheduler supports:

- Symmetric keys via KMIP ReKey
- Asymmetric keys (RSA/EC/PQC) via new CreateKeyPair + cross-links
- CoverCrypt keys via ReKeyKeyPair (in-place rotation)
- Certificates via Certify (re-issuance)

New components:
- find_due_for_rotation() in ObjectsStore trait + SQLite/PostgreSQL/MySQL impls
- is_due_for_rotation() helper in locate_query.rs
- auto_rotate.rs: rotation logic per object type
- spawn_auto_rotation_cron() in cron.rs
- --auto-rotation-check-interval-secs CLI flag (default: 0 = disabled)

The rotation policy (rotate_interval, rotate_name, rotate_offset) is
transferred to the new key so the cycle continues. Old keys get
rotate_interval=0 and ReplacementObjectLink to the new key.

Author: Manuthor

CHANGELOG/feat_key-rotation-scheduler.md

@@ -0,0 +1,7 @@
+## Features
+
+- Add background auto-rotation scheduler (cron thread) that periodically checks for keys due for rotation and rotates them automatically
+- Add `--auto-rotation-check-interval-secs` server CLI flag (default: 0 = disabled)
+- Add `find_due_for_rotation` database method (SQLite, PostgreSQL, MySQL) to find Active objects past their rotation interval
+- Implement `auto_rotate_key` logic supporting SymmetricKey (ReKey), PrivateKey/PublicKey (CreateKeyPair or CoverCrypt ReKeyKeyPair), and Certificate (Certify) rotation
+- Transfer rotation policy to new keys and set `ReplacementObjectLink`/`ReplacedObjectLink` cross-links on rotation

Cargo.lock

@@ -20,7 +20,13 @@ doctest = false
 async-trait = { workspace = true }
 cosmian_kmip = { path = "../kmip", version = "5.22.0" }
 cosmian_logger = { workspace = true }
-num-bigint-dig = { workspace = true, features = ["std", "rand", "serde", "zeroize"] }
+num-bigint-dig = { workspace = true, features = [
+  "std",
+  "rand",
+  "serde",
+  "zeroize",
+] }
 serde_json = { workspace = true }
 thiserror = { workspace = true }
+time = { workspace = true }
 zeroize = { workspace = true, default-features = true }

crate/interfaces/Cargo.toml

@@ -5,6 +5,7 @@ use cosmian_kmip::{
     kmip_0::kmip_types::State,
     kmip_2_1::{kmip_attributes::Attributes, kmip_objects::Object},
 };
+use time::OffsetDateTime;
 
 use crate::{InterfaceResult, ObjectWithMetadata};
 
@@ -117,4 +118,16 @@ pub trait ObjectsStore {
     ) -> InterfaceResult<Vec<(String, State, Attributes)>> {
         Ok(vec![])
     }
+
+    /// Return UIDs of all Active objects that have a `rotate_interval > 0` and whose
+    /// next rotation instant is ≤ `now`.
+    ///
+    /// The next rotation instant is computed as:
+    /// - `rotate_date + rotate_interval`  (if `rotate_date` is set), or
+    /// - `initial_date + rotate_interval + rotate_offset` (if `rotate_date` is None)
+    ///
+    /// The default implementation returns an empty list; backends should override.
+    async fn find_due_for_rotation(&self, _now: OffsetDateTime) -> InterfaceResult<Vec<String>> {
+        Ok(vec![])
+    }
 }

crate/interfaces/src/stores/objects_store.rs

@@ -70,6 +70,7 @@ impl Default for ClapConfig {
             aws_xks_config: AwsXksConfig::default(),
             kmip_policy: KmipPolicyConfig::default(),
             azure_ekm_config: AzureEkmConfig::default(),
+            auto_rotation_check_interval_secs: 0,
         }
     }
 }
@@ -213,6 +214,11 @@ pub struct ClapConfig {
     #[clap(flatten)]
     #[serde(rename = "kmip")]
     pub kmip_policy: KmipPolicyConfig,
+
+    /// Interval in seconds between background auto-rotation checks.
+    /// Set to 0 (default) to disable the auto-rotation background task.
+    #[clap(long, default_value = "0", verbatim_doc_comment)]
+    pub auto_rotation_check_interval_secs: u64,
 }
 
 impl ClapConfig {
@@ -651,6 +657,10 @@ impl fmt::Debug for ClapConfig {
             x.field("aws_xks_enable", &self.aws_xks_config.aws_xks_enable)
         };
         let x = x.field("kmip", &self.kmip_policy);
+        let x = x.field(
+            "auto_rotation_check_interval_secs",
+            &self.auto_rotation_check_interval_secs,
+        );
 
         x.finish()
     }

crate/server/src/config/command_line/clap_config.rs

@@ -164,6 +164,10 @@ pub struct ServerParams {
     /// Client-supplied `MaximumItems` is clamped to this value; when absent the cap is
     /// applied automatically. Prevents unbounded DB queries and large response payloads.
     pub max_locate_items: u32,
+
+    /// Interval in seconds between background auto-rotation checks.
+    /// 0 means disabled.
+    pub auto_rotation_check_interval_secs: u64,
 }
 
 /// Represents the server parameters.
@@ -414,6 +418,7 @@ impl ServerParams {
             rate_limit_per_second: conf.http.rate_limit_per_second,
             cors_allowed_origins: conf.http.cors_allowed_origins.unwrap_or_default(),
             max_locate_items: 1000,
+            auto_rotation_check_interval_secs: conf.auto_rotation_check_interval_secs,
         };
 
         debug!("{res:#?}");
@@ -637,6 +642,10 @@ impl fmt::Debug for ServerParams {
         debug_struct.field("rate_limit_per_second", &self.rate_limit_per_second);
         debug_struct.field("cors_allowed_origins", &self.cors_allowed_origins);
         debug_struct.field("max_locate_items", &self.max_locate_items);
+        debug_struct.field(
+            "auto_rotation_check_interval_secs",
+            &self.auto_rotation_check_interval_secs,
+        );
 
         debug_struct.finish()
     }